Tax-Themed Google Ads Deliver EDR-Disabling Malware

Marcus Rodriguez
March 23, 2026

Key Takeaways

  • A pervasive malvertising campaign, active since at least January 2026, is leveraging Google Ads with tax-themed lures.
  • The campaign delivers a legitimate remote management tool, ScreenConnect, which attackers then exploit to deploy a kernel-mode EDR killer.
  • The EDR killer, named HwAudKiller, utilizes a signed Huawei audio driver to bypass and terminate prominent endpoint security solutions like Windows Defender, Kaspersky, and SentinelOne.
  • Post-compromise activities indicate a clear intent for ransomware deployment or initial access brokering.

As tax season approaches, a period marked by heightened digital activity for millions of Americans, cybercriminals are exploiting the urgency surrounding tax filings. Cybersecurity firm Huntress has recently uncovered a sophisticated malvertising campaign that uses deceptive Google Ads to distribute an EDR-disabling malware.

Table of Contents

  • Key Takeaways
  • The Malvertising Attack Chain
  • Inside the BYOVD EDR Kill Mechanism
  • Evasion Techniques of FatMalloc
  • HwAudKiller’s Kernel-Mode Evasion
  • Broader Campaign Indicators
  • What You Should Do

This large-scale operation, active since at least January 2026, directs users searching for tax documents like W-2 and W-9 to fraudulent landing pages. These pages meticulously mimic official IRS compliance portals, specifically designed to ensnare employees, freelancers, and small business owners during the critical tax filing period.

The Malvertising Attack Chain

The attack initiates when a user searches for common tax forms on Google. A sponsored advertisement leads them to a deceptive domain, such as anukitax[.]com, which then redirects to bringetax[.]com. This secondary domain acts as the delivery platform for a malicious ScreenConnect installer, disguised as a legitimate tax form file named form_w9.msi.

ScreenConnect, a legitimate remote management utility, is frequently installed by victims without suspicion due to its trusted reputation. Once installed, the attackers gain full, unrestricted “hands-on-keyboard” access to the compromised machine via a trial cloud instance. This bypasses typical enterprise approval processes and IT oversight, providing a direct conduit for further malicious activities.

Huntress researchers identified this campaign during routine threat hunting, discovering over 60 suspicious ScreenConnect sessions across their client base. What initially appeared as isolated remote tool activity quickly revealed itself as a coordinated, multi-stage operation. The attack employs a deeply layered payload specifically engineered to completely neutralize endpoint security tools. Based on observed post-access behaviors, the ultimate goals of this campaign appear to be either the deployment of ransomware or the sale of initial access to other threat actors.

Inside the BYOVD EDR Kill Mechanism

Upon gaining initial access through ScreenConnect, the attackers deploy a multi-stage crypter known as FatMalloc, executed from ScreenConnect’s working directory. To maintain persistence and resilience against partial remediation attempts, they also install backup tools like FleetDeck, often establishing two to three relay instances per host.

The final and most critical payload is HwAudKiller. This component leverages a previously undocumented Huawei audio driver (HWAuidoOs2Ec.sys) to disable leading endpoint detection and response (EDR) solutions, including Windows Defender, Kaspersky, and SentinelOne, directly from kernel mode.

Once the EDR defenses are neutralized, the attackers proceed to dump LSASS credentials and utilize NetExec to harvest accounts across the network. This pattern of credential harvesting and lateral movement is highly consistent with pre-ransomware activities, indicating a strong likelihood of subsequent ransomware deployment.

Evasion Techniques of FatMalloc

FatMalloc employs several sophisticated techniques to evade detection:

  • Memory Allocation Trick: The crypter begins by allocating and then immediately freeing 2GB of memory. This tactic is designed to overwhelm and time out antivirus emulators, which cannot afford to simulate such a large memory operation, preventing them from reaching the actual payload. Sandboxes with limited memory will fail this allocation, causing the malware to exit silently without revealing its true nature.
  • Indirect Shellcode Execution: FatMalloc executes its shellcode indirectly using the Windows multimedia timer API. Instead of creating a new, easily detectable thread, the crypter passes the shellcode’s address as user data to the timeSetEvent function. This invokes the shellcode through a callback after 100 milliseconds, making the execution appear to originate from winmm.dll and bypassing security tools that monitor direct thread creation.

The shellcode then decrypts itself using a block-based XOR scheme and decompresses the LZNT1-compressed HwAudKiller payload into memory.

HwAudKiller’s Kernel-Mode Evasion

HwAudKiller drops the Huawei audio driver (HWAuidoOs2Ec.sys) to disk, renaming it as Havoc.sys, and registers it as a kernel service. Crucially, this driver possesses a valid Huawei digital signature, allowing Windows to load it without triggering security alerts.

The tool then continuously loops through all running processes every 100 milliseconds. It sends the process IDs (PIDs) of targeted security processes to the driver via IOCTL 0x2248DC. The driver, operating in kernel mode, calls ZwTerminateProcess to kill 23 specific security processes, effectively bypassing all user-mode protections implemented by these EDR solutions.

Broader Campaign Indicators

Beyond the tax-themed lures, the threat actor’s exposed open directory also revealed a fake Google Chrome update page containing Russian-language JavaScript comments, suggesting a Russian-speaking developer behind the operation. Both the tax and Chrome update lures pull their payloads from the same 4sync file-sharing infrastructure. This indicates that these are not isolated incidents but rather components of an organized, multi-front social engineering campaign.

What You Should Do

  • Verify Sources for Tax Forms: Always download official tax forms directly from IRS.gov or other verified government websites. Exercise extreme caution with sponsored search results, especially those purporting to offer government documents.
  • Scrutinize Remote Monitoring Tools: IT teams should implement strict allowlisting policies for approved Remote Monitoring and Management (RMM) tools. Any trial instance of ScreenConnect, particularly those exhibiting “instance-*” relay patterns, should be flagged as highly suspicious and investigated immediately.
  • Monitor Kernel Driver Creation: Configure alerting on Sysmon Event ID 6 (Driver Loaded) and Windows System log Event ID 7045 (Service Installed) to catch kernel driver creation, especially from temporary directories.
  • Investigate Untrusted Executables: Any unsigned binary executed from a legitimate application’s working path, such as ScreenConnect’s directory, warrants immediate and thorough investigation.
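The driver-monitoring recommendation above, turned into a small detection routine. This is an added example, not code from Huntress or the article: the events are constructed samples shaped like Sysmon Event ID 6 and System log Event ID 7045 records, and the set of "temporary" directories is an assumption you would tune to your environment.

```python
import re

# Assumption: directories a legitimate kernel driver should never be loaded or
# registered from. Extend with your own staging paths (e.g. RMM working dirs).
SUSPICIOUS_DIR = re.compile(r"\\(?:Temp|Downloads|ProgramData)\\", re.IGNORECASE)

# Constructed sample events (not real telemetry). Field names follow the real
# Sysmon Event 6 (ImageLoaded, Signed, Signature) and Service Control Manager
# Event 7045 (ServiceName, ImagePath, ServiceType) layouts.
SAMPLE_EVENTS = [
    {"source": "Sysmon", "id": 6,
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\Havoc.sys",
     "Signed": "true", "Signature": "Example Hardware Vendor (constructed)"},
    {"source": "System", "id": 7045, "ServiceName": "Havoc",
     "ImagePath": r"\??\C:\Windows\Temp\Havoc.sys",
     "ServiceType": "kernel mode driver"},
    {"source": "Sysmon", "id": 6,
     "ImageLoaded": r"C:\Windows\System32\drivers\ndis.sys",
     "Signed": "true", "Signature": "Microsoft Windows"},
]


def check_event(ev):
    """Return a finding string if the event is a suspicious driver event, else None.

    Note that a valid signature is deliberately NOT treated as exculpatory:
    the BYOVD technique relies on a legitimately signed driver, so the path
    and service type are what trip the alert, and the signer is only reported.
    """
    if ev["source"] == "Sysmon" and ev["id"] == 6:
        path = ev["ImageLoaded"]
        if SUSPICIOUS_DIR.search(path):
            return (f"Sysmon 6: kernel driver loaded from temp path {path} "
                    f"(signed={ev.get('Signed')}, signer={ev.get('Signature', '?')})")
    elif ev["source"] == "System" and ev["id"] == 7045:
        path = ev["ImagePath"]
        is_kernel = "kernel" in ev.get("ServiceType", "").lower()
        if is_kernel and SUSPICIOUS_DIR.search(path):
            return (f"7045: kernel-mode service '{ev['ServiceName']}' "
                    f"registered with binary {path}")
    return None


def scan(events):
    """Run check_event over a list of events and collect the findings."""
    return [f for f in (check_event(e) for e in events) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```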
